Dear friends, as someone said before me on the list: neither of the two extremes
could be very good!!

One is dangerous, the other means heavy-duty maintenance requirements for
user changes...

Thus, leaving the system open without a firewall + IDS system will be
dangerous, or closing the firewall entirely, if you need to deal with users
that will be travelling or changing IP address, and need to use the
same account from any IP, from anywhere... then the users will be angry any
time that they can't make a call.


So I think we must work around the needs and search for the mix that best serves
our purposes. Many times the solution may seem something "outside the rules of good
art", but if it works efficiently, and it is not expensive...
then "ARE WELCOME".

VPNs routed end to end with VPN routers require some hardware that limits
mobile use and requires more expensive hardware, i.e. if I have my SIP
account configured on my handheld, using it with WiFi behind a VPN router, I
can't use it to make calls in a hotel or airport or any WiFi zone or
hotspot, with the exception that this unit can run a VPN client too.

On the other hand, if I have a notebook, laptop or netbook using a softphone,
TLS may be useful, but a bunch of IP telephones, softphones and gateways
do not support TLS, or many protocols, so it will depend on the user....

In my mind, asking myself "some advice to follow??", the answer could
be:

Try using services that enable me to locate users from domains and at the
same time define your accounts using it... it may require additional
effort to use them, but setting up the peers using host with DNS resolution,
avoiding the use of register by users, may help:

host=my.domain

What will happen if the IP changes or the user doesn't have their own domain???
Ask me again, and I'll answer:

Try a DDNS service, like this:

  host=my.domain.in.prefer.ddns.service

It may be helpful; any of the popular servers (dyndns, no-ip, ...).

It will require that the user can run at the same time a DDNS client (many
routers/ATAs/gateways have one embedded) and a softphone/SIP client from the
same IP address,

and at the other end, on the PBX, you also need to reload the SIP module each
time that the IP changes, to load the new IP from those domains; this must be
as often as the client's IP changes...

WHAT A CHEAP SOLUTION!!!

This reload task could be done at a fixed period of time, i.e. the same
value that you usually specify in the expiry options for registering; thus
the "GAP" between the old IP and the new has the same behaviour as if your
customer changes the IP address without re-registering, i.e. a user using
DHCP on their internet connection, that changes their IP address and does not
restart their softphone or gateway. I mean: the incoming calls go to the old IP
until the client re-registers or places an outgoing call.

In the same way, for the inbound connections to the servers (a PBX or any
other server too), something similar can be done with iptables modules; it's
quite simple: first set the policy to DENY all connections and then enable
just the DDNS domains that you will accept:

iptables -P INPUT DROP

iptables -I INPUT -s my.first.client.in.ddns.service -j ACCEPT

iptables -I INPUT -s my.second.client.in-other-ddns.service -j ACCEPT

(Some specification for ports and protocols may be added; I don't include it in
the example to make it easier.)

After doing this, only the IPs according to the domains can connect to the server,

but at any time that the IPs may change, you need to restart the iptables
service, and the input filter will be refilled with the IPs according to the
domains defined in the DDNS service....

To restart this at regular frequencies in "automatic mode", you just need to
enable this task in the CRON service; it can also be joined with the SIP module
reload to update the host definition of the peers/users/friends in the PBX. For
that you must include a script that has these two lines for system
execution:

service iptables restart
(restarting iptables Fedora/CentOS style; other distributions use init.rc services)

asterisk -rx "sip reload"
(reloads the SIP module, renewing the domain definitions for peers; be careful
that your PBX system must resolve using the DNS service)

and... that's all.

Now you can renew the IPs that can connect to the server and also the host
defined to make calls.

Easy, effective and cheap. Maybe other solutions are better... yeah... and more
expensive too.

Feel free to contact me off the list.

I hope that it can be helpful.

Marcos

i...@calleasy.com.ar
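A cron-driven version of the two-line reload script Marcos describes, written here as an added example that is not part of the original post. It assumes hypothetical peer hostnames (phone1.example.ddns.test and phone2.example.ddns.test), a dedicated chain named SIPPEERS so the rest of INPUT is left untouched, UDP/5060 for SIP signalling, that iptables, getent and asterisk are on PATH, and the chan_sip "sip reload" from the post. Unlike a blind restart every period, it only rewrites the rules and reloads the SIP module when a resolved address actually changed, skips a peer whose DDNS name does not resolve instead of aborting, and refuses to apply an empty list, so a DNS outage does not lock every peer out:

```shell
#!/bin/sh
# Added example (not from Marcos's post): keep a dedicated iptables chain in
# sync with the current addresses of DDNS-named SIP peers, and reload chan_sip
# only when an address actually changed.
# Assumptions: iptables, getent and asterisk are on PATH; the peer hostnames
# below are constructed placeholders; SIP signalling is UDP/5060.
set -eu

DDNS_HOSTS="${DDNS_HOSTS:-phone1.example.ddns.test phone2.example.ddns.test}"
CHAIN="${CHAIN:-SIPPEERS}"                          # own chain, INPUT otherwise untouched
SIP_PORT="${SIP_PORT:-5060}"
STATE_FILE="${STATE_FILE:-/var/run/sip-ddns.ips}"   # last applied "host ip" list
IPTABLES="${IPTABLES:-iptables}"
ASTERISK="${ASTERISK:-asterisk}"

# resolve_host NAME: print NAME's IPv4 addresses, one per line.
# RESOLVER may name an alternative lookup function (used to test without DNS).
resolve_host() {
    if [ -n "${RESOLVER:-}" ]; then
        "$RESOLVER" "$1"
    else
        getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
    fi
}

# resolved_ips: print sorted "host ip" lines for every DDNS host that resolves.
# A host that does not resolve is skipped with a warning instead of aborting,
# so one stale DDNS record does not take the other peers off the allow list.
resolved_ips() {
    for h in $DDNS_HOSTS; do
        ips=$(resolve_host "$h" 2>/dev/null) || ips=""
        if [ -z "$ips" ]; then
            echo "warning: $h did not resolve, leaving it out this round" >&2
            continue
        fi
        for ip in $ips; do
            echo "$h $ip"
        done
    done | sort
}

# ips_changed LIST: true when LIST differs from the last applied list.
# An empty LIST (DNS outage) counts as "no change" so the current rules
# survive rather than locking every peer out.
ips_changed() {
    if [ -z "$1" ]; then
        echo "error: nothing resolved, keeping the current rules" >&2
        return 1
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$1" != "$old" ]
}

# apply_rules LIST: rebuild the chain from LIST, then reload chan_sip so the
# host= entries of the peers pick up the new addresses as well.
apply_rules() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true     # create once, ignore "exists"
    "$IPTABLES" -F "$CHAIN"
    printf '%s\n' "$1" | while read -r h ip; do
        "$IPTABLES" -A "$CHAIN" -s "$ip" -p udp --dport "$SIP_PORT" \
            -m comment --comment "$h" -j ACCEPT
    done
    # Hook the chain into INPUT once; the post's "-P INPUT DROP" stays the default.
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT -j "$CHAIN"
    "$ASTERISK" -rx "sip reload"
}

main() {
    case "${1:-}" in
        show)  resolved_ips ;;
        apply)
            new=$(resolved_ips)
            if ips_changed "$new"; then
                apply_rules "$new"
                printf '%s\n' "$new" > "$STATE_FILE"   # record only after a successful apply
            else
                echo "no address change, nothing to do"
            fi ;;
        *) echo "usage: $0 show|apply" >&2; return 2 ;;
    esac
}

# Only act when given a command, so sourcing the file has no side effects.
case "${1:-}" in show|apply) main "$@" ;; esac
```

Run it from cron at the same interval as the registration expiry, for example `*/5 * * * * /usr/local/sbin/sip-ddns.sh apply` (the path is an assumption); `sip-ddns.sh show` prints what would be allowed without touching the firewall. Using a dedicated chain also avoids the `iptables -I INPUT` lines of the post piling up on every restart, and since this allow list only covers UDP/5060, RTP media ports still need their own rules.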

 
                                          
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-biz
